How It Works

VibeReview connects a local AI IDE to a cloud control plane. This page traces the full lifecycle, from onboarding a repository to seeing telemetry and compliance reports.

The end-to-end flow

Stage by stage

1. Onboard the repository (web app)

Connect a source-control provider under Settings → Connections using a GitHub App or a GitHub/GitLab Personal Access Token, then create a project pointing at a repository. A quick LLM profiling job analyzes the codebase.

2. Generate repository-tailored guardrails (web app)

Profiling produces guardrails customized to that repository — concrete do's and don'ts that reflect the repository's actual frameworks and patterns rather than a generic checklist. Running the architecture profile additionally maps services, trust boundaries, and data flows so guardrails are grounded in the real architecture.

3. Install the CLI (local)

In the project directory, run vibereview init. The CLI installs rules, skills, and an MCP server configuration into your AI IDE and links the project to the web app using an API token. See CLI → Installation.

4. Threat-model the prompt (local, secure by design)

As soon as you write a security-relevant prompt, the installed skills run as a hard pre-write gate. The threat-modelling skill produces a PWNISMS threat model across all seven categories before any code is written.

5. Select and apply guardrails (local, secure by code)

The guardrails-selection skill shortlists the relevant project guardrails, and the AI IDE implements the feature using those deterministic secure patterns. A dependency scan (OSV) checks any newly introduced packages along the way.

6. Sync telemetry (local → cloud)

The IDE writes a structured JSON scan artifact to .vibereview/scans/, and the CLI syncs it to the web app. The telemetry captures threats mitigated, best practices achieved, secure snippets applied, the developer, and OWASP/CWE mappings.
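Before syncing, it is worth checking that an artifact is well formed, since malformed CWE or OWASP mappings silently corrupt the compliance reports built on top of them. The following is an added example, not VibeReview's own code: the on-disk schema of the scan artifact is not documented on this page, so the field names (`developer`, `threats_mitigated`, `best_practices`, `snippets_applied`, `cwe`, `owasp`) and the sample artifact are assumptions that only mirror the telemetry categories the text names.

```python
"""Validate a VibeReview-style scan artifact before it is synced.

The artifact schema below is an ASSUMPTION made for this example: the page
only names what the telemetry captures (threats mitigated, best practices
achieved, secure snippets applied, the developer, OWASP/CWE mappings); the
real layout of the JSON files under .vibereview/scans/ is not documented here.
"""
import json
import re
from pathlib import Path

# Identifier formats accepted for mappings (real CWE / OWASP Top 10 id styles).
CWE_RE = re.compile(r"^CWE-\d+$")
OWASP_RE = re.compile(r"^A(0[1-9]|10):20\d\d$")

REQUIRED_KEYS = ("developer", "threats_mitigated", "best_practices", "snippets_applied")


def validate_scan(artifact: dict) -> list[str]:
    """Return a list of problems; an empty list means the artifact is well formed."""
    problems = []
    for key in REQUIRED_KEYS:
        if key not in artifact:
            problems.append(f"missing field: {key}")
    developer = artifact.get("developer")
    if not isinstance(developer, str) or not developer:
        problems.append("developer must be a non-empty string")
    for i, threat in enumerate(artifact.get("threats_mitigated", [])):
        for cwe in threat.get("cwe", []):
            if not CWE_RE.match(cwe):
                problems.append(f"threats_mitigated[{i}]: malformed CWE id {cwe!r}")
        for owasp in threat.get("owasp", []):
            if not OWASP_RE.match(owasp):
                problems.append(f"threats_mitigated[{i}]: malformed OWASP id {owasp!r}")
    return problems


def summarize(artifact: dict) -> dict:
    """Counts a dashboard would aggregate per developer and per CWE."""
    by_cwe: dict[str, int] = {}
    for threat in artifact.get("threats_mitigated", []):
        for cwe in threat.get("cwe", []):
            by_cwe[cwe] = by_cwe.get(cwe, 0) + 1
    return {
        "developer": artifact.get("developer"),
        "threats": len(artifact.get("threats_mitigated", [])),
        "best_practices": len(artifact.get("best_practices", [])),
        "snippets": len(artifact.get("snippets_applied", [])),
        "by_cwe": by_cwe,
    }


def load_scans(scan_dir: Path) -> list[dict]:
    """Load every *.json artifact in a scan directory such as .vibereview/scans/."""
    return [json.loads(p.read_text()) for p in sorted(scan_dir.glob("*.json"))]


# Constructed sample artifact (not real telemetry): one clean threat entry and
# one whose CWE id is missing its hyphen, which the validator must reject.
SAMPLE_SCAN = {
    "developer": "alice@example.com",
    "threats_mitigated": [
        {"title": "SQL injection in search endpoint", "cwe": ["CWE-89"], "owasp": ["A03:2021"]},
        {"title": "Mistyped mapping", "cwe": ["CWE89"], "owasp": ["A03:2021"]},
    ],
    "best_practices": ["parameterized queries"],
    "snippets_applied": ["db/query_builder_safe"],
}

if __name__ == "__main__":
    for problem in validate_scan(SAMPLE_SCAN):
        print("reject:", problem)
    print(json.dumps(summarize(SAMPLE_SCAN), indent=2))
```

Running the script rejects the second entry and prints the aggregate counts; in practice the same check would run in the CLI's sync step so that only artifacts with valid mappings reach the dashboards.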

7. Review, report, and tune (web app)

  • Pull requests are reviewed post-commit; guardrail violations are written back as PR comments.
  • Dashboards and reports show what was built securely, by whom, and how it maps to compliance frameworks.
  • Security teams tune guardrails — adding, editing, or removing them as the codebase and policy evolve.

Architecture at a glance

Each component and its responsibility:

  • AI IDE (Cursor, Claude Code, Codex, …): where the developer writes prompts and code.
  • VibeReview rules & skills: installed into the IDE; enforce threat modeling, guardrail selection, dependency scanning, and sync.
  • MCP server: bridges the IDE to VibeReview's project context and guardrails.
  • VibeReview CLI: installs the above; syncs scan telemetry to the cloud.
  • VibeReview web app: repository profiling, guardrail generation, PR review, telemetry, reports, settings.
  • Source-control provider: GitHub / GitLab connection for repository access and PR review.

Next

Head to the Quickstart to set this up for a real project.